Read Permanent Record Online

Authors: Edward Snowden

Permanent Record (16 page)

BOOK: Permanent Record
9.02Mb size Format: txt, pdf, ePub
ads

This layering method is called onion routing, which gives Tor its name: it’s The Onion Router. The classified joke was that trying to surveil the Tor network makes spies want to cry. Therein lies the project’s irony: here was a US military–developed technology that made cyberintelligence simultaneously harder and easier, applying hacker know-how to protect the anonymity of IC officers, but only at the price of granting that same anonymity to adversaries and to average users across the globe. In this sense, Tor was even more neutral than Switzerland. For me personally, Tor was a life changer, bringing me back to the Internet of my childhood by giving me just the slightest taste of freedom from being observed.

N
ONE OF THIS
account of the CIA’s pivot to cyberintelligence, or SIGINT on the Internet, is meant to imply that the agency wasn’t still doing some significant HUMINT, in the same manner in which it had always done so, at least since the advent of the modern IC
in the aftermath of World War II. Even I got involved, though my most memorable operation was a failure. Geneva was the first and only time in my intelligence career in which I made the personal acquaintance of a target—the first and only time that I looked directly into the eyes of a human being rather than just recording their life from afar. I have to say, I found the whole experience unforgettably visceral and sad.

Sitting around discussing how to hack a faceless UN complex was psychologically easier by a wide margin. Direct engagement, which can be harsh and emotionally draining, simply doesn’t happen that much on the technical side of intelligence, and almost never in computing. There is a depersonalization of experience fostered by the distance of a screen. Peering at life through a window can ultimately abstract us from our actions and limit any meaningful confrontation with their consequences.

I met the man at an embassy function, a party. The embassy had lots of those, and the COs always went, drawn as much by the opportunities to spot and assess potential candidates for recruitment as by the open bars and cigar salons.

Sometimes the COs would bring me along. I’d lectured them on my specialty long enough, I guess, that now they were all too happy to lecture me on theirs, cross-training me to help them play “spot the sap” in an environment where there were always more people to meet than they could possibly handle on their own. My native geekiness meant I could get the young researchers from CERN (Conseil Européen pour la Recherche Nucléaire: European Council for Nuclear Research) talking about their work with a voluble excitement that the MBAs and political science majors who comprised the ranks of our COs had trouble provoking on their own.

As a technologist, I found it incredibly easy to defend my cover. The moment some bespoke-suited cosmopolite asked me what I did, and I responded with the four words “I work in IT” (or, in my improving French,
je travaille dans l’informatique
), their interest in me was over. Not that this ever stopped the conversation. When
you’re a fresh-faced professional in a conversation outside your field, it’s never that surprising when you ask a lot of questions, and in my experience most people will jump at the chance to explain exactly how much more they know than you do about something they care about deeply.

The party I’m recalling took place on a warm night on the outside terrace of an upscale café on one of the side streets alongside Lake Geneva. Some of the COs wouldn’t hesitate to abandon me at such a gathering if they had to in order to sit as close as possible to whatever woman happened to match their critical intelligence-value indicators of being highly attractive and no older than a student, but I wasn’t about to complain. For me, spotting targets was a hobby that came with a free dinner.

I took my plate and sat down at a table next to a well-dressed Middle Eastern man in a cuff-linked, demonstratively Swiss pink shirt. He seemed lonely, and totally exasperated that no one seemed interested in him, so I asked him about himself. That’s the usual technique: just be curious and let them talk. In this case, the man did so much talking that it was like I wasn’t even there. He was Saudi, and told me about how much he loved Geneva, the relative beauties of the French and Arabic languages, and the absolute beauty of this one Swiss girl with whom he—yes—had a regular date playing laser tag. With a touch of a conspiratorial tone, he said that he worked in private wealth management. Within moments I was getting a full-on polished presentation about what, exactly, makes a private bank private, and the challenge of investing without moving markets when your clients are the size of sovereign wealth funds.

“Your clients?” I asked.

That’s when he said, “Most of my work is on Saudi accounts.”

After a few minutes, I excused myself to go to the bathroom, and on the way there I leaned over to tell the CO who worked finance targets what I’d learned. After a necessarily too-long interval “fixing my hair,” or texting Lindsay in front of the bathroom mirror, I returned to find the CO sitting in my chair. I waved to my
new Saudi friend before sitting down beside the CO’s discarded, smoky-eyed date. Rather than feeling bad, I felt like I’d really earned the Pavés de Genève that were passed around for dessert. My job was done.

The next day, the CO, whom I’ll call Cal, heaped me with praise and thanked me effusively. COs are promoted or passed over based primarily on how effective they are at recruiting assets with access to information on matters substantial enough to be formally reported back to headquarters, and given Saudi Arabia’s suspected involvement in financing terror, Cal felt under tremendous pressure to cultivate a qualifying source. I was sure that in no time at all our fellow party guest would be getting a second paycheck from the agency.

That was not quite how it worked out, however. Despite Cal’s regular forays with the banker to strip clubs and bars, the banker wasn’t warming up to him—at least not to the point where a pitch could be made—and Cal was getting impatient.

After a month of failures, Cal was so frustrated that he took the banker out drinking and got him absolutely plastered. Then he pressured the guy to drive home drunk instead of taking a cab. Before the guy had even left the last bar of the night, Cal was calling the make and plate number of his car to the Geneva police, who not fifteen minutes later arrested him for driving under the influence. The banker faced an enormous fine, since in Switzerland fines aren’t flat sums but based on a percentage of income, and his driver’s license was suspended for three months—a stretch of time that Cal would spend, as a truly wonderful friend with a fake-guilty conscience, driving the guy back and forth between his home and work, daily, so that the guy could “keep his office from finding out.” When the fine was levied, causing his friend cash-flow problems, Cal was ready with a loan. The banker had become dependent, the dream of every CO.

There was only one hitch: when Cal finally made the pitch, the banker turned him down. He was furious, having figured out the planned crime and the engineered arrest, and felt betrayed that
Cal’s generosity hadn’t been genuine. He cut off all contact. Cal made a halfhearted attempt to follow up and do damage control, but it was too late. The banker who’d loved Switzerland had lost his job and was returning—or being returned—to Saudi Arabia. Cal himself was rotated back to the States.

Too much had been hazarded, too little had been gained. It was a waste, which I myself had put in motion and then was powerless to stop. After that experience, the prioritizing of SIGINT over HUMINT made all the more sense to me.

In the summer of 2008, the city celebrated its annual Fêtes de Genève, a giant carnival that culminates in fireworks. I remember sitting on the left bank of Lake Geneva with the local personnel of the SCS, or Special Collection Service, a joint CIA-NSA program responsible for installing and operating the special surveillance equipment that allows US embassies to spy on foreign signals. These guys worked down the hall from my vault at the embassy, but they were older than I was, and their work was not just way above my pay grade but way beyond my abilities—they had access to NSA tools that I didn’t even know existed. Still, we were friendly: I looked up to them, and they looked out for me.

As the fireworks exploded overhead, I was talking about the banker’s case, lamenting the disaster it had been, when one of the guys turned to me and said, “Next time you meet someone, Ed, don’t bother with the COs—just give us his email address and we’ll take care of it.” I remember nodding somberly to this, though at the time I barely had a clue of the full implications of what that comment meant.

I steered clear of parties for the rest of the year and mostly just hung around the cafés and parks of Saint-Jean Falaises with Lindsay, taking occasional vacations with her to Italy, France, and Spain. Still, something had soured my mood, and it wasn’t just the banker debacle. Come to think of it, maybe it was banking in general. Geneva is an expensive city and unabashedly posh, but as 2008 drew to a close its elegance seemed to tip over into extravagance, with a massive influx of the superrich—most of them
from the Gulf states, many of them Saudi—enjoying the profits of peak oil prices on the cusp of the global financial crisis. These royal types were booking whole floors of five-star grand hotels and buying out the entire inventories of the luxury stores just across the bridge. They were putting on lavish banquets at the Michelin-starred restaurants and speeding their chrome-plated Lamborghinis down the cobbled streets. It would be hard at any time to miss Geneva’s display of conspicuous consumption, but the profligacy now on display was particularly galling—coming as it did during the worst economic disaster, as the American media kept telling us, since the Great Depression, and as the European media kept telling us, since the interwar period and Versailles.

It wasn’t that Lindsay and I were hurting: after all, our rent was being paid by Uncle Sam. Rather, it’s that every time she or I would talk to our folks back home, the situation seemed grimmer. Both of our families knew people who’d worked their entire lives, some of them for the US government, only to have their homes taken away by banks after an unexpected illness made a few mortgage payments impossible.

To live in Geneva was to live in an alternative, even opposite, reality. As the rest of the world became more and more impoverished, Geneva flourished, and while the Swiss banks didn’t engage in many of the types of risky trades that caused the crash, they gladly hid the money of those who’d profited from the pain and were never held accountable. The 2008 crisis, which laid so much of the foundation for the crises of populism that a decade later would sweep across Europe and America, helped me realize that something that is devastating for the public can be, and often is, beneficial to the elites. This was a lesson that the US government would confirm for me in other contexts, time and again, in the years ahead.

16
Tokyo

The Internet is fundamentally American, but I had to leave America to fully understand what that meant. The World Wide Web might have been invented in Geneva, at the CERN research laboratory in 1989, but the ways by which the Web is accessed are as American as baseball, which gives the American Intelligence Community the home field advantage. The cables and satellites, the servers and towers—so much of the infrastructure of the Internet is under US control that over 90 percent of the world’s Internet traffic passes through technologies developed, owned, and/or operated by the American government and American businesses, most of which are physically located on American territory. Countries that traditionally worry about such advantages, like China and Russia, have attempted to make alternative systems, such as the Great Firewall, or the state-sponsored censored search engines, or the nationalized satellite constellations that provide selective GPS—but America remains the hegemon, the keeper of the master switches that can turn almost anyone on and off at will.

It’s not just the Internet’s infrastructure that I’m defining as fundamentally American—it’s the computer software (Microsoft,
Google, Oracle) and hardware (HP, Apple, Dell), too. It’s everything from the chips (Intel, Qualcomm), to the routers and modems (Cisco, Juniper), to the Web services and platforms that provide email and social networking and cloud storage (Google, Facebook, and the most structurally important but invisible Amazon, which provides cloud services to the US government along with half the Internet). Though some of these companies might manufacture their devices in, say, China, the companies themselves are American and are subject to American law. The problem is, they’re also subject to classified American policies that pervert law and permit the US government to surveil virtually every man, woman, and child who has ever touched a computer or picked up a phone.

Given the American nature of the planet’s communications infrastructure, it should have been obvious that the US government would engage in this type of mass surveillance. It should have been especially obvious to me. Yet it wasn’t—mostly because the government kept insisting that it did nothing of the sort, and generally disclaimed the practice in courts and in the media in a manner so adamant that the few remaining skeptics who accused it of lying were treated like wild-haired conspiracy junkies. Their suspicions about secret NSA programs seemed hardly different from paranoid delusions involving alien messages being beamed to the radios in our teeth. We—me, you, all of us—were too trusting. But what makes this all the more personally painful for me was that the last time I’d made this mistake, I’d supported the invasion of Iraq and joined the army. When I arrived in the IC, I felt sure that I’d never be fooled again, especially given my top secret clearance. Surely that had to count for some degree of transparency. After all, why would the government keep secrets from its secret keepers? This is all to say that the obvious didn’t even become the thinkable for me until some time after I moved to Japan in 2009 to work for the NSA, America’s premier signals intelligence agency.

It was a dream job, not only because it was with the most advanced intelligence agency on the planet, but also because it was
based in Japan, a place that had always fascinated Lindsay and me. It felt like a country from the future. Though mine was officially a contractor position, its responsibilities and, especially, its location were more than enough to lure me. It’s ironic that only by going private again was I put in a position to understand what my government was doing.

On paper, I was an employee of Perot Systems, a company founded by that diminutive hyperactive Texan who founded the Reform Party and twice ran for the presidency. But almost immediately after my arrival in Japan, Perot Systems was acquired by Dell, so on paper I became an employee of Dell. As in the CIA, this contractor status was all just formality and cover, and I only ever worked in an NSA facility.

The NSA’s Pacific Technical Center (PTC) occupied one-half of a building inside the enormous Yokota Air Base. As the headquarters of US Forces Japan, the base was surrounded by high walls, steel gates, and guarded checkpoints. Yokota and the PTC were just a short bike ride from where Lindsay and I got an apartment in Fussa, a city at the western edge of Tokyo’s vast metropolitan spread.

The PTC handled the NSA’s infrastructure for the entire Pacific, and provided support for the agency’s spoke sites in nearby countries. Most of these were focused on managing the secret relationships that let the NSA cover the Pacific Rim with spy gear, as long as the agency promised to share some of the intelligence it gleaned with regional governments—and so long as their citizens didn’t find out what the agency was doing. Communications interception was the major part of the mission. The PTC would amass “cuts” from captured signals and push them back across the ocean to Hawaii, and Hawaii, in turn, would push them back to the continental United States.

My official job title was systems analyst, with responsibility for maintaining the local NSA systems, though much of my initial work was that of a systems administrator, helping to connect the NSA’s systems architecture with the CIA’s. Because I was the only
one in the region who knew the CIA’s architecture, I’d also travel out to US embassies, like the one I’d left in Geneva, establishing and maintaining the links that enabled the agencies to share intelligence in ways that hadn’t previously been possible. This was the first time in my life that I truly realized the power of being the only one in a room with a sense not just of how one system functioned internally, but of how it functioned together with multiple systems—or didn’t. Later, as the chiefs of the PTC came to recognize that I had a knack for hacking together solutions to their problems, I was given enough of a leash to propose projects of my own.

Two things about the NSA stunned me right off the bat: how technologically sophisticated it was compared with the CIA, and how much less vigilant it was about security in its every iteration, from the compartmentalization of information to data encryption. In Geneva, we’d had to haul the hard drives out of the computer every night and lock them up in a safe—and what’s more, those drives were encrypted. The NSA, by contrast, hardly bothered to encrypt anything.

In fact, it was rather disconcerting to find out that the NSA was so far ahead of the game in terms of cyberintelligence yet so far behind it in terms of cybersecurity, including the most basic: disaster recovery, or backup. Each of the NSA’s spoke sites collected its own intel, stored the intel on its own local servers, and, because of bandwidth restrictions—limitations on the amount of data that could be transmitted at speed—often didn’t send copies back to the main servers at NSA headquarters. This meant that if any data were destroyed at a particular site, the intelligence that the agency had worked hard to collect could be lost.

My chiefs at the PTC understood the risks the agency was taking by not keeping copies of many of its files, so they tasked me with engineering a solution and pitching it to the decision makers at headquarters. The result was a backup and storage system that would act as a shadow NSA: a complete, automated, and constantly updating copy of all of the agency’s most important
material, which would allow the agency to reboot and be up and running again, with all its archives intact, even if Fort Meade were reduced to smoldering rubble.

The major problem with creating a global disaster-recovery system—or really with creating any type of backup system that involves a truly staggering number of computers—is dealing with duplicated data. In plain terms, you have to handle situations in which, say, one thousand computers all have copies of the same single file: you have to make sure you’re not backing up that same file one thousand times, because that would require one thousand times the amount of bandwidth and storage space. It was this wasteful duplication, in particular, that was preventing the agency’s spoke sites from transmitting daily backups of their records to Fort Meade: the connection would be clogged with a thousand copies of the same file containing the same intercepted phone call, 999 of which the agency did not need.

The way to avoid this was “deduplication”: a method to evaluate the uniqueness of data. The system that I designed would constantly scan the files at every facility at which the NSA stored records, testing each “block” of data down to the slightest fragment of a file to find out whether or not it was unique. Only if the agency lacked a copy of it back home would the data be automatically queued for transmission—reducing the volume that flowed over the agency’s transpacific fiber-optic connection from a waterfall to a trickle.

The combination of deduplication and constant improvements in storage technology allowed the agency to store intelligence data for progressively longer periods of time. Just over the course of my career, the agency’s goal went from being able to store intelligence for days, to weeks, to months, to five years or more after its collection. By the time of this book’s publication, the agency might already be able to store it for decades. The NSA’s conventional wisdom was that there was no point in collecting anything unless they could store it until it was useful, and there was no way to predict when exactly that would be. This rationalization was fuel
for the agency’s ultimate dream, which is permanency—to store all of the files it has ever collected or produced for perpetuity, and so create a perfect memory. The permanent record.

The NSA has a whole protocol you’re supposed to follow when you give a program a code name. It’s basically an I Ching–like stochastic procedure that randomly picks words from two columns. An internal website throws imaginary dice to pick one name from column A, and throws again to pick one name from column B. This is how you end up with names that don’t mean anything, like FOXACID and EGOTISTICALGIRAFFE. The point of a code name is that it’s not supposed to refer to what the program does. (As has been reported, FOXACID was the code name for NSA servers that host malware versions of familiar websites; EGOTISTICALGIRAFFE was an NSA program intended to exploit a vulnerability in certain Web browsers running Tor, since they couldn’t break Tor itself.) But agents at the NSA were so confident of their power and the agency’s absolute invulnerability that they rarely complied with the regulations. In short, they’d cheat and redo their dice throws until they got the name combination they wanted, whatever they thought was cool: TRAFFICTHIEF, the VPN Attack
O
rchestrator.

I swear I never did that when I went about finding a name for my backup system. I swear that I just rolled the bones and came up with EPICSHELTER.

Later, once the agency adopted the system, they renamed it something like the Storage Modernization Plan or Storage Modernization Program. Within two years of the invention of EPICSHELTER, a variant had been implemented and was in standard use under yet another name.

T
HE MATERIAL THAT
I disseminated to journalists in 2013 documented such an array of abuses by the NSA, accomplished through such a diversity of technological capabilities, that no one agent in the daily discharge of their responsibilities was ever in the position
to know about all of them—not even a systems administrator. To find out about even a fraction of the malfeasance, you had to go searching. And to go searching, you had to know that it existed.

It was something as banal as a conference that first clued me in to that existence, sparking my initial suspicion about the full scope of what the NSA was perpetrating.

In the midst of my EPICSHELTER work, the PTC hosted a conference on China sponsored by the Joint Counterintelligence Training Academy (JCITA) for the Defense Intelligence Agency (DIA), an agency connected to the Department of Defense that specializes in spying on foreign militaries and foreign military–related matters. This conference featured briefings given by experts from all the intelligence components, the NSA, CIA, FBI, and military, about how the Chinese intelligence services were targeting the IC and what the IC could do to cause them trouble. Though China certainly interested me, this wasn’t the kind of work I would ordinarily have been involved in, so I didn’t pay the conference much mind until it was announced that the only technology briefer was unable to attend at the last minute. I’m not sure what the reason was for that absence—maybe flu, maybe kismet—but the course chair for the conference asked if there was anyone at the PTC who might be able to step in as a replacement, since it was too late to reschedule. One of the chiefs mentioned my name, and when I was asked if I wanted to give it a shot, I said yes. I liked my boss, and wanted to help him out. Also, I was curious, and relished the opportunity to do something that wasn’t about data deduplication for a change.

My boss was thrilled. Then he told me the catch: the briefing was the next day.

I called Lindsay and told her I wouldn’t be home. I was going to be up all night preparing the presentation, whose nominal topic was the intersection between a very old discipline, counterintelligence, and a very new discipline, cyberintelligence, coming together to try to exploit and thwart the adversary’s attempts to use the Internet to gather surveillance. I started pulling everything off
the NSA network (and off the CIA network, to which I still had access), trying to read every top secret report I could find about what the Chinese were doing online. Specifically, I read up on so-called intrusion sets, which are bundles of data about particular types of attacks, tools, and targets. IC analysts used these intrusion sets to identify specific Chinese military cyberintelligence or hacking groups, in the same way that detectives might try to identify a suspect responsible for a string of burglaries by a common set of characteristics or modus operandi.

The point of my researching this widely dispersed material was to do more than merely report on how China was hacking us, however. My primary task was to provide a summary of the IC’s assessment of China’s ability to electronically track American officers and assets operating in the region.

BOOK: Permanent Record
9.02Mb size Format: txt, pdf, ePub
ads

Other books

The Demon by The Demon
Suspicion of Vengeance by Barbara Parker
Not Quite a Mermaid by Linda Chapman